Deploying/Undeploying Correlation Rules - Novell SENTINEL 6.1 SP2 - 02-2010 User Manual

Use the isnull operator to refer to unpopulated fields.

Use the w. prefix for a field name in the window operation to compare an incoming event's value to a set of previous events.

TIP: You can select the Functions, Operators and Meta-Tags from the drop-down list selection. Type e. or w. in the Correlation Rule section to view the drop-down lists.

To create a custom or freeform rule:
1 Open the Correlation Rules Manager window and select from the Folder drop-down list the folder to which this rule is added.
2 Click the Add button located in the top left corner of the screen. The Correlation Rule window displays. Select Custom/Freeform Rule.
3 In the Custom/Freeform Rule window, write the condition for the rule and click Validate to test the validity of the rule.
4 After the rule is validated, click Next. The Update Criteria window displays. Update the criteria for the rule to fire and click Next.
5 Provide a name for this rule. You have an option to modify the rule folder.
6 Provide a rule description and click Next.
7 You have an option to create another rule from this wizard. Select your option and click Next.

3.3.6 Deploying/Undeploying Correlation Rules

Correlation rules can be deployed or undeployed from the Correlation Engine Manager or the Correlation Rule Manager. You can undeploy all rules or a single rule.

The rules can be associated with one or more actions. If no action is selected, a default Correlated Event is generated with the following values:

Table 3-2 Default Correlated Event Details

Field Name    Default Values
Severity      4
Event Name    Same as the event name for the trigger event

76
Sentinel 6.1 User Guide
